How Mail Order / Telephone Order (MOTO) Works
Customer Initiates the Order
The customer contacts the merchant by phone or sends a paper order form by mail. They provide their card number, expiration date, billing address, and CVV/CVC verbally or in writing. The merchant's agent records this information — without storing sensitive authentication data beyond what is needed for processing.
Agent Enters Card Data into a Virtual Terminal
The agent logs into a virtual terminal — a secure, web-based interface — and manually keys in the card details captured from the customer. This step is also known as manual-keyed entry. The agent may also enter order details, billing address, and any merchant-defined fields for record-keeping.
Authorization Request Is Sent
The payment gateway encrypts the transaction data and forwards it to the acquiring bank, which routes the authorization request to the relevant card network (Visa, Mastercard, Amex, etc.) and on to the issuing bank. The transaction is flagged with a MOTO transaction type indicator (ECI 01 for telephone, ECI 02 for mail order) so that processors and issuers apply the correct interchange rules.
Verification Checks Are Run
Because the cardholder is not physically present, the gateway applies compensating controls: Address Verification Service (AVS) matches the billing address provided against the issuer's records, and the CVV/CVC value is validated. Fraud scoring tools may also analyze velocity, device signals (for digital forms), and behavioral patterns before returning a recommendation.
Authorization Response and Fulfillment
The issuer returns an approval or decline code. On approval, the merchant fulfills the order — shipping goods or delivering services — and the transaction is captured (settled) at end of day or at fulfillment. The cardholder sees the charge on their statement, and the merchant receives funds minus interchange, network fees, and processor margin.
Recordkeeping and Dispute Management
MOTO merchants should retain order forms, call recordings (scrubbed of full card numbers per PCI DSS), delivery confirmations, and any signed authorization agreements. This evidence is critical if the cardholder initiates a chargeback — a risk that is statistically higher for card-not-present channels than for in-person transactions.
Why Mail Order / Telephone Order (MOTO) Matters
MOTO may feel like a legacy channel, but it remains commercially significant across several industries and demographic segments.
Market Size
Telephone and mail order retail in the United States generates over $500 billion in annual revenue, according to U.S. Census Bureau data on non-store retail. A substantial portion of these sales involve card-based MOTO transactions.
Higher fraud exposure, but manageable. Card-not-present fraud — which includes both MOTO and e-commerce — accounted for 73% of all card fraud losses in the United States in recent years, per Nilson Report estimates. However, MOTO-specific fraud rates differ from e-commerce because the human agent introduces an additional verification layer: a trained agent can ask clarifying questions, detect inconsistencies in billing details, and flag suspicious orders before authorization.
Demographic and accessibility relevance. Approximately 15% of U.S. adults do not use the internet regularly, according to Pew Research. For merchants serving elderly customers, customers in low-connectivity regions, or industries with high-value, relationship-driven sales (insurance, financial services, healthcare), MOTO is not a legacy workaround — it is the primary channel. Removing it would exclude a meaningful customer segment.
Interchange economics. Because card networks categorize MOTO transactions under card-not-present interchange tiers, merchants pay a premium over card-present rates. Optimizing acquirer routing and ensuring correct ECI codes are submitted can meaningfully reduce effective processing costs for high-volume MOTO merchants.
Mail Order / Telephone Order (MOTO) vs. E-Commerce CNP
Both MOTO and e-commerce are card-not-present transaction types, but they differ in meaningful ways that affect authentication, fraud tooling, and compliance obligations.
| Dimension | MOTO | E-Commerce CNP |
|---|---|---|
| Order channel | Phone call or paper mail form | Website, app, or digital checkout |
| 3D Secure (3DS) | Not applicable — no web session | Supported; liability shift available |
| Authentication method | AVS + CVV + manual agent review | AVS + CVV + 3DS + device fingerprint |
| ECI code | 01 (telephone) / 02 (mail) | 07 (3DS success) / 06 (attempted) |
| Interchange tier | CNP non-authenticated | CNP authenticated (lower with 3DS) |
| Chargeback liability | Always with merchant | Shifts to issuer when 3DS succeeds |
| PCI DSS SAQ | Typically SAQ C-VT | SAQ A, A-EP, or D depending on setup |
| Fraud tooling | AVS, CVV, velocity, manual review | All of the above + behavioral analytics, device signals |
| Human involvement | Required (agent keys data) | Optional (customer self-serves) |
The key practical difference: e-commerce merchants can reduce chargeback liability through 3DS authentication, while MOTO merchants cannot. This makes strong order documentation and manual review processes more critical in MOTO channels.
Types of Mail Order / Telephone Order (MOTO)
Pure Mail Order (ECI 02) The customer completes a paper order form and mails it with payment card details. Common in catalog retail, magazine subscriptions, and charitable donation campaigns. Processing typically occurs in batch after the form is received and data-entered.
Telephone Order (ECI 01) A customer-service or sales agent takes payment details verbally over the phone. Widely used in insurance, travel, healthcare scheduling, and B2B sales. Real-time authorization is typically processed during the call so the agent can confirm success before ending the conversation.
Recurring MOTO Some merchants use MOTO as the basis for recurring billing — a customer provides card details by phone once, and the merchant stores a token to bill subsequent periods. This requires explicit written or recorded authorization and careful handling of stored-credential transaction flags to qualify for recurring interchange rates.
IVR (Interactive Voice Response) Payments A variant where the customer enters card details via their phone keypad into an automated system, with no live agent involved. IVR payments reduce PCI DSS scope by keeping card data away from human agents entirely and can be processed as MOTO transactions.
Agent-Assisted Web Orders An agent co-browses or completes a web form on behalf of a customer who calls in. Depending on implementation, these may be classified as MOTO or e-commerce — merchants should work with their processor to ensure correct ECI coding.
Best Practices
For Merchants
Use tokenization immediately. Never store raw card numbers beyond the moment of authorization. Integrate with a tokenization service so that only tokens are retained in your order management system. This dramatically reduces PCI DSS scope and breach impact.
Maintain signed or recorded authorizations. For telephone orders, record calls (with appropriate consent disclosures) and retain recordings for at least 18 months. For mail orders, retain the original signed order form. These records are your primary defense in a chargeback dispute.
Train agents on fraud signals. Common MOTO fraud indicators include: billing and shipping addresses that don't match, rush shipping requests on first-time orders, multiple orders with different cards to the same address, and customers who push back when asked security questions. Regular agent training reduces fraud losses more cost-effectively than technology alone for many MOTO merchants.
Implement velocity controls. Set per-card and per-address limits on daily transaction volume at the gateway level. MOTO channels are frequently targeted by card-testing attacks where fraudsters use agents or bots to test stolen card numbers in small increments.
Segment MOTO and e-commerce processing. If you run both channels, use separate merchant IDs (MIDs) or at minimum separate virtual terminals. This keeps interchange categories clean and makes fraud analysis and reporting more actionable.
For Developers
Submit correct ECI values. Ensure your integration always passes ECI 01 for telephone orders and ECI 02 for mail orders. Incorrect or missing ECI values can result in downgrades to less favorable interchange tiers or failed transactions.
Implement AVS and CVV checks at the gateway level. Configure your payment gateway to decline or flag transactions where AVS returns a no-match and CVV fails simultaneously. Both signals together are a strong fraud indicator in MOTO flows.
Scope PCI DSS correctly. If your virtual terminal is hosted by your payment processor and agents access it through a browser without any card data touching your servers, you may qualify for SAQ C-VT — the lightest MOTO SAQ tier. Document this scope clearly and review it annually.
Build audit logging into your agent tooling. Log every field change, authorization attempt, and agent action for every MOTO order. This data supports both fraud investigations and chargeback responses.
Handle stored-credential flags for recurring MOTO. When billing a returning customer against a stored token, submit the correct stored-credential indicators (initial vs. subsequent, merchant-initiated vs. cardholder-initiated). Incorrect flags can trigger declines or increase interchange costs.
Common Mistakes
Recording CVV/CVC values. PCI DSS explicitly prohibits storing CVV/CVC after authorization — not just digitally, but in any form, including paper call logs, handwritten notes, or audio recordings. This is one of the most common PCI violations in telephone order environments and can result in significant fines and card acceptance suspension.
Skipping AVS on low-value orders. Merchants sometimes disable AVS checks below a certain order threshold to reduce false declines. Fraudsters know this and specifically target low-value MOTO transactions for card testing. AVS should be applied consistently regardless of order size.
Failing to get recurring authorization in writing. When enrolling a customer in a recurring billing arrangement over the phone, merchants must obtain explicit, documented consent. Failure to do so is the leading cause of "unauthorized recurring charge" chargebacks — among the hardest MOTO disputes to win without written evidence.
Incorrect transaction type coding. Submitting MOTO transactions with an e-commerce ECI code (or no ECI code) misrepresents the transaction type to the card network. This can trigger compliance reviews, interchange downgrades, and acquirer penalties.
Storing card numbers in CRM or ticketing systems. Agents sometimes paste card numbers into notes fields in CRM, helpdesk, or order management tools outside the PCI-compliant payment environment. This is a critical data security failure. Implement technical controls — such as field masking and clipboard monitoring — to prevent it.
Mail Order / Telephone Order (MOTO) and Tagada
MOTO Optimization with Tagada
Tagada's payment orchestration layer supports MOTO-specific routing logic: transactions flagged with MOTO ECI codes are automatically directed to acquirers that offer the most competitive CNP interchange rates and strongest fraud tooling for telephone and mail order channels. Merchants running both MOTO and e-commerce can manage both flows through a single integration, with per-channel fraud rules, routing waterfalls, and chargeback analytics in one dashboard. Stored-credential token management for recurring MOTO billing is handled natively, ensuring correct transaction flags are submitted on every subsequent charge.